The ENCS Red Team – Blue Team training teaches anyone working with ICS or smart grids the essentials of cyber security. The training:

  • Raises awareness of ICS cyber security risks
  • Provides an overview of defensive measures
  • Teaches how to detect attacks and respond to them

The ENCS Red Team – Blue Team training lets participants train on a simulated cyber-attack against grid operator Operational Technology (OT) systems. In a full-day exercise, the IT and OT infrastructures of a grid operator are simulated, including a SCADA system and multiple substations. The Blue team is tasked with protecting the infrastructure, while the Red team tries to hack it. In this way, participants learn how to prevent and detect advanced attacks on OT systems.

Target audience

ENCS is offering the Red Team – Blue Team training as an in-house event for 20 to 30 participants. The training works best if the group contains participants with different roles:

  • IT specialists, including system administrators and security officers
  • OT specialists, including SCADA and substation engineers
  • Managers with a responsibility for OT security

One of the key training benefits is improving the communication between these groups.

Learning goals

The Red Team – Blue Team training teaches participants to:

  • Understand the risks of cyber-attacks on OT systems
  • Understand what measures should be taken to prevent cyber-attacks
  • Know how to detect and respond to cyber-attacks

By putting employees who are usually responsible for defense in the position of an attacker, they gain new insights into how cyber-attacks happen and what they can do to prevent or respond to them.

By experiencing a cyber-attack with a group of employees responsible for OT cyber-security, communication on security is improved.

Training program

The training has a three-day schedule, divided into two parts:

  • During the first part (days 1 and 2), security specialists from ENCS teach the participants, in theory and hands-on sessions, about the cyber security risks of Operational Technology (OT) systems and how these risks can be mitigated
  • During the second part (day 3), the participants experience a realistic cyber-attack in the Red team – Blue team exercise.

The content of each section is described below.

Introduction (theory)

Introduction to the training and the motivation for improving OT security:

  • Understanding how the convergence of IT and OT systems leads to new threats
  • Understanding why changes in the threat landscape require stronger OT security
  • Overview of the sessions in the training

Network scanning (hands-on)

Learn how to find out what is in OT networks:

  • Detecting computers and services on a network with the nmap scanner
  • Understanding the risks in scanning industrial networks
  • Analyzing network traffic with Wireshark to find computers in a network and understand the communication between them
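The passive side of this session, as an added Python example that is not ENCS course material: a script that does what one would otherwise read off Wireshark's Endpoints and Conversations views, building a host and service inventory from captured frames only. Active nmap scans are what the "risks in scanning industrial networks" bullet is about: some PLCs and RTUs hang or reboot when probed, so on a live OT network passive discovery from a SPAN port is the safer first step. The IP addresses, MAC addresses and frames below are constructed for the example; the port-to-protocol labels are the registered ports of those protocols.

```python
import struct
from collections import defaultdict

# TCP flag bytes used below (the constructed frames carry exactly these values).
SYN, SYN_ACK, PSH_ACK = 0x02, 0x12, 0x18

# Registered ports of common OT protocols, used to label discovered services.
OT_PORTS = {
    102: "IEC 61850 MMS",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed capture (no checksums)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # not IPv4 (e.g. ARP) or too short
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
    if frame[14 + 9] != 6:                                 # IPv4 protocol field: 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    return frame[6:12].hex(":"), frame[0:6].hex(":"), src_ip, dst_ip, sport, dport, tcp[13]


def passive_inventory(frames):
    """Build an asset and conversation inventory from captured frames only (nothing is sent)."""
    hosts = defaultdict(lambda: {"mac": None, "services": set()})
    conversations = set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags = parsed
        hosts[src_ip]["mac"] = src_mac      # MACs are only meaningful on the local segment
        hosts[dst_ip]["mac"] = dst_mac
        if flags == SYN:                    # client opening a connection: (client, server, server port)
            conversations.add((src_ip, dst_ip, dport))
        elif flags == SYN_ACK:              # server answering: it is listening on sport
            hosts[src_ip]["services"].add(sport)
    return {"hosts": dict(hosts), "conversations": sorted(conversations)}


def label_services(inventory):
    """Map each host to readable service names; unknown ports are reported as tcp/<port>."""
    return {ip: sorted(OT_PORTS.get(p, f"tcp/{p}") for p in info["services"])
            for ip, info in inventory["hosts"].items()}


# Constructed capture: an engineering workstation (10.0.1.10) and a SCADA server (10.0.1.5)
# talking to two substation RTUs (10.0.2.20 over IEC 104, 10.0.2.21 over Modbus/TCP).
SAMPLE_FRAMES = [
    build_frame("02:00:00:01:00:0a", "02:00:00:02:00:14", "10.0.1.10", "10.0.2.20", 40001, 2404, SYN),
    build_frame("02:00:00:02:00:14", "02:00:00:01:00:0a", "10.0.2.20", "10.0.1.10", 2404, 40001, SYN_ACK),
    build_frame("02:00:00:01:00:05", "02:00:00:02:00:15", "10.0.1.5", "10.0.2.21", 50002, 502, SYN),
    build_frame("02:00:00:02:00:15", "02:00:00:01:00:05", "10.0.2.21", "10.0.1.5", 502, 50002, SYN_ACK),
    build_frame("02:00:00:01:00:05", "02:00:00:02:00:15", "10.0.1.5", "10.0.2.21", 50002, 502, PSH_ACK),
    # An ARP request (EtherType 0x0806): not IPv4, so the parser skips it.
    b"\xff" * 6 + bytes.fromhex("020000010005") + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    inv = passive_inventory(SAMPLE_FRAMES)
    for ip, names in label_services(inv).items():
        print(ip, inv["hosts"][ip]["mac"], names or "(no server ports seen)")
    for client, server, port in inv["conversations"]:
        print(f"{client} -> {server}:{port}")
```

A SYN-ACK is the only event the script treats as proof that a port is open, which is the same evidence an active scanner collects, but here it comes from traffic the devices were going to exchange anyway. Hosts that only ever initiate connections (the workstation here) show up with an empty service list, which in a substation is itself useful information: an RTU that opens connections outbound is worth a second look.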

Vulnerabilities (theory, including demo)

Learn how OT systems are vulnerable to cyber-attacks:

  • Understanding what type of vulnerabilities are commonly found in OT systems and how these can be mitigated
  • Understanding what components are in OT systems and what their function is
  • Understanding how to secure OT protocols
  • Demonstration of the vulnerabilities exploited by the Industroyer malware

Exploits & payloads (hands-on)

Learn how attackers can exploit vulnerabilities:

  • Finding vulnerabilities in websites by analyzing code or testing inputs
  • Developing exploits and payloads for web vulnerabilities

Vulnerabilities in websites are used as an example because participants can develop exploits for them themselves, instead of only using pre-developed exploits. Web vulnerabilities are commonly found in OT components: many RTUs and IEDs provide a web interface for easy configuration.
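An example of the kind of web vulnerability participants can find and exploit themselves, added here and not taken from the ENCS lab (the page does not say which vulnerability classes are used): a login handler of the sort found in an RTU or IED web interface with an SQL injection, next to its parameterized fix, plus the input probe that reveals it. An in-memory SQLite table stands in for the device's embedded database; the user records, credentials and function names are constructed for the example.

```python
import sqlite3


def make_device_db():
    """In-memory stand-in for the user table of an RTU web interface (constructed records).
    Passwords are kept in clear text only so the injection point stays visible; a real
    device must store password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "s3cret-from-the-label", "engineer"),
        ("viewer", "viewer", "readonly"),
    ])
    return db


def login_vulnerable(db, name, password):
    """Query built by string concatenation, as often found in embedded web UIs:
    the user's input becomes part of the SQL statement. Returns the role or None."""
    query = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db, name, password):
    """Same check with a parameterized query: the input is bound as data and can never
    change the structure of the statement."""
    row = db.execute("SELECT role FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None


def probe_for_injection(login, db):
    """Black-box input test from the 'testing inputs' step: a single quote that makes the
    handler fail instead of answering 'denied' shows the quote reached the SQL parser."""
    try:
        login(db, "x'", "y")
    except sqlite3.OperationalError:
        return True
    return False


# Two payloads that follow from reading the vulnerable query:
COMMENT_OUT_PASSWORD = "admin' --"   # as the name: closes the literal, comments out the password check
TAUTOLOGY = "' OR '1'='1"            # as the password: makes the WHERE clause true for every row

if __name__ == "__main__":
    db = make_device_db()
    print("probe vulnerable:", probe_for_injection(login_vulnerable, db))
    print("exploit vulnerable:", login_vulnerable(db, COMMENT_OUT_PASSWORD, "anything"))
    print("probe hardened:", probe_for_injection(login_hardened, db))
    print("exploit hardened:", login_hardened(db, COMMENT_OUT_PASSWORD, "anything"))
```

The probe is the part participants tend to skip: sending one quote (or, for other injection classes, a semicolon, an angle bracket, a very long string) to every input of a device's web interface, and looking for any response that differs from the normal error page, finds the same bug class without access to the firmware's source code.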

Prevention measures (theory)

Learn what measures organizations can take to prevent cyber-attacks:

  • Setting up an information security management system for OT
  • Designing a security architecture to segregate OT from IT using demilitarized zones, jump servers, and secure technical laptops
  • Using security requirements to procure secure components
  • Evaluating security through audits and tests

Real world attacks (theory)

Learn how real-world threat actors work:

  • Understanding what motivates different threat actors, from script kiddies to nation states
  • Understanding the steps in advanced cyber-attacks, such as Stuxnet and the blackouts in Ukraine

Post-exploitation (hands-on)

Learn how attack tools can be used to move deeper into systems after an initial exploit:

  • Exploiting vulnerabilities with Metasploit and Armitage
  • Using Armitage to create a persistent backdoor, escalate privileges, and extract sensitive information

Response measures (theory)

Learn what measures organizations can use to detect and respond to security incidents:

  • Setting up an OT security operations team for detection and response
  • Selecting detection use cases to mitigate attacks
  • Using specialized network-based security sensors for OT systems

Red team – Blue team exercise

The Blue team is the OT security operations team for a grid operator. They have three tasks:

  • Find the vulnerabilities in the OT systems and determine mitigations
  • Detect security incidents
  • Investigate the security incidents and possibly respond to them

The Blue team is split into three subteams, each using different technologies to monitor the OT systems. The IT subteam uses an IT vulnerability scanner and a network intrusion detection system. The network subteam uses the flow whitelisting and deep-packet inspection techniques found in specialized OT security sensors. The host subteam looks at the security logs on hosts in the OT systems.
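The two network-subteam techniques named above (flow whitelisting and deep-packet inspection), and the "detection use cases" of the Response measures section, as an added Python example that is not part of the training material: a minimal sensor that alerts when a flow outside a learned baseline appears, and again when a host that is not allowed to write sends a Modbus/TCP write request. The whitelist, host addresses and flow records are constructed; the function codes and the 7-byte MBAP header layout are from the Modbus/TCP specification.

```python
# Baseline of allowed flows (client, server, server_port), learned from normal operation.
# Addresses are constructed for this example.
FLOW_WHITELIST = {
    ("10.0.1.5", "10.0.2.21", 502),    # SCADA server polls RTU over Modbus/TCP
    ("10.0.1.5", "10.0.2.20", 2404),   # SCADA server polls RTU over IEC 60870-5-104
    ("10.0.1.10", "10.0.2.20", 22),    # engineering workstation maintains RTU over SSH
}

# Modbus function codes that change process state.
MODBUS_WRITE_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Only the SCADA server may issue writes; everything else is expected to read.
WRITE_ALLOWED = {"10.0.1.5"}


def modbus_function_code(payload):
    """Return the function code of a Modbus/TCP request, or None if it is not one.

    The MBAP header is 7 bytes: transaction id (2), protocol id (2, must be 0),
    length (2), unit id (1); the function code is the first byte of the PDU after it."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    return payload[7]


def inspect_flows(records):
    """Run two detection use cases over (client, server, server_port, payload) records.

    1. Flow whitelisting: every record outside the baseline raises NEW_FLOW.
    2. Deep-packet inspection: a Modbus write from a host not allowed to write
       raises UNAUTHORIZED_WRITE, whether or not the flow itself is whitelisted."""
    alerts = []
    for client, server, port, payload in records:
        if (client, server, port) not in FLOW_WHITELIST:
            alerts.append(f"NEW_FLOW {client} -> {server}:{port}")
        if port == 502:
            fc = modbus_function_code(payload)
            if fc in MODBUS_WRITE_CODES and client not in WRITE_ALLOWED:
                alerts.append(f"UNAUTHORIZED_WRITE {client} -> {server} fc={fc} ({MODBUS_WRITE_CODES[fc]})")
    return alerts


# Constructed Modbus/TCP requests: MBAP header, then function code and data.
READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"                # fc 3: read 10 registers from 0
WRITE_COIL = b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"                  # fc 5: coil 1 -> ON
WRITE_REGS = b"\x00\x03\x00\x00\x00\x09\x01\x10\x00\x00\x00\x01\x02\x00\x2a"      # fc 16: register 0 = 42

# Constructed flow records in time order.
SAMPLE_RECORDS = [
    ("10.0.1.5", "10.0.2.21", 502, READ_HOLDING),           # normal poll
    ("10.0.1.10", "10.0.2.20", 22, b"SSH-2.0-OpenSSH"),     # normal maintenance session
    ("10.0.1.10", "10.0.2.21", 502, READ_HOLDING),          # workstation talking Modbus: new flow
    ("10.0.1.10", "10.0.2.21", 502, WRITE_COIL),            # ... and now operating a coil
    ("10.0.1.5", "10.0.2.21", 502, WRITE_REGS),             # SCADA write: allowed
    ("10.0.1.99", "10.0.2.20", 2404, b"\x68\x04\x07\x00\x00\x00"),   # unknown host, IEC 104 STARTDT
]

if __name__ == "__main__":
    for alert in inspect_flows(SAMPLE_RECORDS):
        print(alert)
```

In a real sensor the whitelist is learned during a baseline window and reviewed by the OT engineers before alerting is switched on. The approach works in OT because the traffic is so regular: a flow that never appeared during commissioning is a strong signal, and the same regularity makes a write from a host that only ever read worth an immediate call to the substation.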

The Red Team plays a group of hackers. Their tasks are:

  • Enter the Blue Team’s networks and establish permanent access
  • Extract confidential information from the systems
  • Gain access to the OT systems and disrupt them

Both teams get points based on how well they perform their tasks. At the end of the day, the team with the most points wins.

In the exercise participants can practice skills they learned during the first two days. They can choose different roles based on what they want to learn.

Exercise debriefing

In the exercise debriefing, participants analyze what happened in the exercise to apply the lessons learned to their own organization.

The debriefing starts with presentations of both teams:

  • The leader of each team presents a timeline of what they did during the exercise
  • Participants in different roles are asked to share their experiences
  • ENCS exercise moderators point out what each team did well and what they could have done better

After these presentations, participants are asked how what they learned in the training can be applied in their own work:

  • The participants formulate the biggest OT risks they see
  • The participants think of improvements to mitigate these risks


Training location

The Hague or in-company.

Training dates

Trainings planned in 2020: dates will follow as soon as possible.

Training duration

The training consists of three days.

Day 1: 09:00 – 17:00

Day 2: 09:00 – 17:00

Day 3: 09:00 – 17:00

On the evening of day 1 there is a dinner to allow for networking.

Who can participate in the training

The ENCS Red Team – Blue Team (RTBT) training is for everyone working in the ICS and smart grid domain who wants to learn more about the essentials of cyber security.
Among others, it is useful for people with the following job titles: managers (asset management, risk management, IT/OT management), (security) consultants, engineers and (web) developers.

Costs of training

Contact ENCS for a proposal, more information or registration.